PRIVACY NOTICE
The website www.hfw.com is owned by HFW (Holman Fenwick Willan LLP).
We care about your privacy. This Privacy Notice explains how we collect and use your personal data. Please read it carefully. If you have any questions about this Privacy Notice, or if you want to enforce your rights, please contact HFW’s Global Privacy Officer, Sakina Chenot, at privacy@hfw.com or +44 (0)20 7264 8169. If you are based in Singapore, you may contact HFW’s Data Protection Officer (“DPO”), Gwen Yeoh, at privacy@hfw.com or by telephone at +65 6411 5370. If you are based in Brazil, you may contact CAR’s DPO, Fernando Albino, at Fernando.albino@car-law.com.br or by telephone at +55 (11) 975308326.
This section provides a brief summary. To find out more, please use the links on the left-hand side of this page.
HFW is an international law firm with offices and associated legal entities across the world. The controller of personal data collected through our Website is Holman Fenwick Willan LLP. There are a number of entities through which HFW provides legal and other services. The identity of the relevant data controller will depend on the location where legal or other services are provided. Please see the “Who are we” tab for more details on which HFW entity will be the data controller in each country. In certain circumstances, Holman Fenwick Willan LLP or another HFW entity may also be a controller of your personal information, for example certain personal information processed using, or accessible via, global systems.
Your personal data may also be shared between HFW’s offices and associated entities as necessary or appropriate. Please know that we’ve put measures in place to keep your personal data safe whichever HFW entity processes it.
HFW adopts a consistent approach towards protecting personal data and therefore this is a global privacy notice that applies to all of our offices. It is based on the data protection principles that are set out in the UK and relevant European Union data protection laws. Where we have offices in jurisdictions with significantly different data protection laws it may be that the rights and obligations set out in this Privacy notice do not apply or a supplemental privacy notice is applicable.
Any additional privacy notices that we provide to you will be issued where it is appropriate for us to do so. Those notices supplement and should be read together with this Privacy notice.
“Personal data” in this Privacy Notice has the same meaning as in the EU General Data Protection Regulation 2016/679/EU (GDPR). Essentially, it means information which relates to a living individual who can be identified from that information, either by itself or when combined with other data likely to come into our possession. Personal data can include information collected by certain cookies, IP addresses, or tracking technologies if it builds up a profile of you.
We collect and use personal data in order to carry out a business which provides legal services. Any other activities and processing which we carry out are to support this primary aim. Our purposes and lawful grounds for processing your personal data vary, depending on our relationship with you and on the activity in question. You can find out more information on this by clicking on the relevant links in the ‘What we collect and how we use it’ tab. We will never sell your personal data to any third parties.
We will only keep your personal data for as long as necessary to fulfil the purposes for which we collected and continue to process it, and to satisfy any legal, accounting or reporting requirements.
Where applicable we respect your data protection rights, including to request access, rectification, restriction, deletion or “porting” of your data, and to object to our use of your data, including for marketing. We do not make any decisions about you based solely on automated profiling.
For general information about our use of artificial intelligence (AI) tools which we may use, from time to time, to enhance the quality and/or efficiency of our legal services or internal administrative processes and procedures, please click on the “Use of AI” link on the left-hand side of this page.
You also have the right to complain to the applicable national data protection authority if you are not satisfied with the way we process your personal data (see the ‘Your Rights’ tab), but we strongly encourage you to contact us first so that we can try to address your concerns.
There are several entities through which Holman Fenwick Willan (“HFW”) provides legal and other services. The HFW group entity that collects your data will be a controller of your personal data. The identity of the relevant data controller will depend on the location where legal or other services are provided.
Our offices and separate legal entities are as follows:
- Holman Fenwick Willan LLP, the owner of this Website and the data controller of information gathered through it. It operates through the London, Brussels, Shanghai and Shenzhen offices. HFW is a limited liability partnership registered in England and Wales (with registered number OC343361) and is authorised and regulated by the Solicitors Regulation Authority. The firm’s registration number is 509977. HFW’s registered office is 8 Bishopsgate, London EC2N 4BQ, United Kingdom. HFW is registered with the UK Information Commissioner’s Office, with registration number Z1842662.
- Our Paris office operates through Holman Fenwick Willan France LLP.
- Our Piraeus office operates through Holman Fenwick Willan International, Vassos, Exarchou & Partners Law Firm.
- Our Dubai office operates through Holman Fenwick Willan Middle East LLP.
- Our Singapore office operates through Holman Fenwick Willan Singapore LLP.
- Our Abu Dhabi office operates through Holman Fenwick Willan MEA LLP.
- Our Houston office operates through Holman Fenwick Willan USA LLP.
- Our Geneva office operates through Holman Fenwick Willan Switzerland LLP.
- Our Hong Kong office operates through Holman Fenwick Willan Hong Kong.
- Our Australian offices operate through Holman Fenwick Willan Australia.
- In Kuwait legal services are provided by Holman Fenwick Willan LLP in association with Attorney Rula Dajani.
- In Brazil legal services are provided by Costa, Albino & Rocha Sociedade de Advogados (CAR) in strategic cooperation with Holman Fenwick Willan LLP.
- In Monaco legal services are provided by HFW Monaco SARL.
- In the British Virgin Islands legal services are provided by HFW LXP BVI Ltd.
- In Saudi Arabia legal services are provided by Holman Fenwick Willan Law Firm.
If you have any questions or comments about this Privacy Notice, or if you wish to exercise your rights, please contact our Global Privacy Officer, Sakina Chenot, at any time:
- By email: privacy@hfw.com
- By telephone: +44 (0)20 7264 8169
- By post: Sakina Chenot, Global Privacy Officer, HFW, 8 Bishopsgate, London EC2N 4BQ, United Kingdom
Please note that we can only respond to you once we have received your letter safely, and that our response may therefore be slower if you use post.
- Visitors to our Website. Please click here for more information on what personal data we process and how we use it.
- Client contacts. Please click here for more information on what personal data we process and how we use it.
- Business contacts. Please click here for more information on what personal data we process and how we use it.
- Third parties involved in client matters. Please click here for more information on what personal data we process and how we use it.
- Suppliers and service providers and their personnel. Please click here for more information on what personal data we process and how we use it.
- Visitors to our offices. Please click here for more information on what personal data we process and how we use it.
- Applicants for work experience, apprenticeship, and graduate recruitment opportunities with us. Please click here for our graduate recruitment privacy notice.
- Applicants for other opportunities with us. Please click here for our job applicant privacy notice.
- Webinars. Please click here for our webinars privacy notice.
About cookies
Cookies are very small, simple text files that websites use to perform certain technical functions, which are stored on your computer. On this Website, we use cookies to count the number of visitors to the Website, to see which pages are most popular, and to see whether you are a new or returning visitor. We do not (and cannot) use cookies to identify you personally. By using our website you agree that we can set and use these cookies.
The cookies we use
Email tracking
If you register to receive our briefings, alerts or event invitations we use tracking technology to collect information about you through such emails in the following ways:
- Opening emails: if you open the email either by downloading images in the email or clicking on a link, we log such activity on our database.
- View as web page: If you click on the “view it as a web page” link, a tracking code is passed in the link so that the web page is personalised in the same way as the email.
- Links to web pages: If you click on any web link, we pass a tracking code in the link to the web page which we use to log such activity on our database.
- Unsubscribe: If you click unsubscribe, we will automatically log this information on our database. If you unsubscribe from any email invitation or alert, we will continue to store your personal data on a ‘marketing suppression list’ in order to make sure that we respect your wishes in the future.
- Event RSVP buttons: In our event invitations and confirmations we provide buttons to allow you to accept, decline, cancel and register (if you are not the original recipient of the email) for that event. Clicking on these buttons will pass a tracking code so we can record your choice in our database to help us manage the event.
We do this to assess whether our emails are useful or interesting to you, and to tailor them accordingly. We also need to track whether you have accepted or rejected an event invitation, so that we can administer such events.
To enable us to provide the services set out in this Privacy notice, we might transfer your personal information to countries outside the jurisdiction where you provided it or where we collected it. Where this is the case, we will ensure that your information is treated securely and that the means of transfer provides adequate safeguards as required by data protection regulations. This may also involve us conducting a Transfer Impact Assessment.
Transfers within the HFW group and transfers to and from clients
Where personal data is transferred between HFW’s legal entities and offices to jurisdictions that the relevant data protection authorities have not deemed as providing ‘adequate’ data protection standards, we have implemented the appropriate safeguards such as standard contractual clauses. For transfers outside of Europe and the UK, these include Standard Contractual Clauses (SCCs) and the UK Addendum (if applicable), or the UK’s International Data Transfer Agreement (IDTA). These are specific contracts approved by the UK ICO and the European Commission which give individuals’ personal data the same level of protection which would be available within the UK or EEA. For a list of HFW’s offices and legal entities please see ‘Who we are’.
For further particulars/information on the arrangements set out above please Contact us.
Transfers to third parties
Some of your personal information may be stored in a cloud located within or outside of the UK, the EEA or your own jurisdiction and managed by a third-party service provider. In adopting this approach, the confidentiality of your personal information is important to us, and we conduct careful due diligence on the security of any third-party technology systems we use.
Where appropriate for certain client matters, we may use third party experts or advisors who are located outside the UK or EEA. When we transfer personal data to such third party advisors it will usually be on an ad hoc basis, and in accordance with instructions from our clients.
Depending on the circumstances and the services we are providing we may also need to transfer personal data to other kinds of third parties, for example local regulators, parties involved in a transaction, or opponents in litigation, as necessary.
Where the recipient is located in a country which has not been deemed “adequate” by the relevant data protection authorities, we transfer the personal data using one of the following measures:
- Where we use certain service providers on a recurring basis, we will seek to put in place Standard Contractual Clauses approved by the relevant data protection authority.
- Where the transfer is on an ad hoc basis, to a service provider which we do not regularly use, we will only transfer the personal data if:
  - The transfer is necessary for the establishment, exercise or defence of legal claims;
  - We have the individual’s explicit consent;
  - The transfer is necessary for the conclusion or performance of a contract in the interest of the individual concerned, and we are party to that contract; or
  - The transfer is necessary in order to perform a contract between us and the individual concerned, or the implementation of pre-contractual measures taken at the individual’s request.
  - The transfer is a one-off which is necessary to meet the firm’s compelling legitimate interests.
In order to prevent unauthorised access to, or disclosure of, your personal data, we have put in place appropriate physical, technical and organisational measures. Our service providers are required to do the same. Some of our security measures include:
- The pseudonymisation and encryption of personal data.
- The firm’s IT department in London has an Information Security Management System that is compliant with the International Standard ISO 27001. We conduct an annual audit of our security controls using a third-party CREST accredited security specialist. In addition, we conduct security self-assessments on a quarterly basis and report findings to our Risk Committee.
- Laptops, desktops and mobile devices are encrypted and locked down.
- We have a full Business Continuity Plan in place and review it annually. It covers the restoration of the firm’s business activities in line with the SRA Code of Conduct.
- We deliver mandatory training to all staff on data privacy rights and responsibilities when it comes to processing any personal data.
The transmission of information via the internet is never completely secure. Once we have received your information, we will use strict procedures and security features to keep it safe, for example emails sent externally from HFW are encrypted using TLS.
Where you are using our IT services and we have given you (or you have chosen) a password to access certain parts of our Website, you are responsible for keeping this password confidential. Please do not share your password with anyone, except as required within your organisation.
We will make any required disclosures of any breach of the security, confidentiality, or integrity of your electronically stored personal data to you either directly or by posting a clear notice on our Website without undue delay.
We only keep your personal data for as long as it is necessary to fulfil the purposes for which we collected it. This includes the purposes of satisfying any legal, regulatory, accounting or reporting requirements, carrying out legal work, and the establishment or defence of legal claims.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
If you would like more information about the retention periods that we apply to your personal data, please contact us at privacy@hfw.com.
HFW may, from time to time, use artificial intelligence (AI) tools and products to enhance the quality and/or efficiency of its legal services or internal administrative processes and procedures.
These AI services may involve the processing of your personal data. In so far as is possible, and as required by law, we ensure that any third-party AI service providers we engage comply with applicable data protection and AI laws and we maintain appropriate technical safeguards and measures to protect your personal data and usage of AI technology.
For the avoidance of any doubt, AI is used by the firm to enhance the quality and efficiency of the firm’s services, and it does not replace the expertise of our legal professionals. Although the use of AI tools may support and inform the firm’s decision-making and advice, ultimate responsibility for, and oversight of, our work shall always remain with our experienced legal professionals and colleagues.
Data protection laws globally grant individuals certain rights in relation to their personal data. These rights apply to the processing of an individual’s personal data carried out by our offices and by our other group entities. Below is a summary of your rights and what we will require from you before we can respond to such requests.
- Right to be informed about how your personal data is used
You have the right to be informed about how we will use and share your personal data. This Privacy notice is designed to satisfy this right by providing an explanation to you in a concise, transparent and easily accessible format and being written in clear and plain language.
- Right to object to processing of personal data in certain circumstances including where personal data is being used for marketing purposes
You have the right to object to our processing of your personal data. When we receive your objection, we will assess our legal grounds for processing and will stop processing the personal data if we cannot demonstrate compelling legitimate grounds to continue processing the personal data. You have the right to ask us not to process your personal data for marketing purposes, including profiling (e.g. tracking your usage of our Website) to the extent that it is related to direct marketing. You can exercise your right to prevent such processing by ticking certain boxes on the forms we use to collect your personal data, or by contacting us at any time.
- Right to access your personal data
The GDPR gives you the right to find out whether we are processing your personal data and, where that is the case, to receive a copy of the personal data we process.
- Right to withdraw your consent to the processing of your personal data
If we process your personal data on the grounds of your consent, you have the right to withdraw your consent at any time. Please also note that we may still be permitted to process your personal data on other grounds, for example to fulfil a contract with you or as required by law. Therefore, withdrawing your consent to the processing of your personal data does not always result in the firm ceasing the processing activity.
- The right to request the restriction of your personal data
You have the right to ask us to restrict our processing of (i.e. stop using) your personal data if you think that it is inaccurate, that we are processing it illegally, or that we no longer need it for the purposes for which it was collected. While we consider your request, we will stop processing your personal data within a reasonable time from the date we receive your request. We will notify you of our decision and any justifications for continuing to process your personal data as soon as we can.
- The right to request amendment(s) and/or to delete your personal data
You have the right to request amendments to your personal data at any time if it is inaccurate. If it is incomplete, you have the right to have the information completed, taking into account the purposes of processing. You also have the right to require us to delete your personal data as soon as possible where one of the following applies:
  - the personal data is no longer necessary for the purposes for which they were collected or otherwise processed;
  - you withdraw your consent to us processing your personal data and we have no other legal grounds for processing it;
  - the personal data has been unlawfully processed;
  - the personal data must be erased for compliance with a UK or EU legal obligation on us;
  - the personal data relates to a child as defined by applicable data protection legislation.
- The right to personal data portability
You have the right to receive personal data which you have provided to us in a structured, commonly used and machine-readable format and have the right to transmit those personal data to another data controller.
- Right not to be subject to automated decisions where the decision produces a legal effect or a similarly significant effect
You have a right not to be subject to a decision which is based solely on automated processing and where the decision will produce a legal effect or a similarly significant effect on you.
- Right to complain to your local national data protection authority
If you feel that we have processed your personal data unfairly or unlawfully, you have the right to complain about us to the relevant national data protection authority, although please contact us first so that we can try to put things right.
How to exercise your rights
You can exercise your rights at any time by contacting our Global Privacy Officer, Sakina Chenot, at privacy@hfw.com. If you are based in Singapore, you may contact HFW’s DPO, Gwen Yeoh, at privacy@hfw.com or by telephone at +65 6411 5370. If you are based in Brazil, you may contact CAR’s DPO, Fernando Albino, at Fernando.albino@car-law.com.br or by telephone at +55 (11) 975308326.
Please include in your email:
- A clear statement on which rights you are seeking to enforce;
- A full description of the information or type of information that you are writing about.
In certain circumstances, we may ask you to confirm your identity by providing us with certain documents confirming your identity. Such requests will only be made where it is proportionate and necessary for us to do so and in order to protect your data. We may ask you for clarification about your request, so that we can manage your request as quickly and efficiently as possible.
No fee usually required
You will not usually have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is repetitive. In addition, we may refuse to comply with your request if it is manifestly unfounded or excessive.
Time limit to respond
We aim to respond to all legitimate requests within one calendar month (or earlier in accordance with applicable laws). Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
Our Website sometimes contains links to external files and websites. The fact that we link to a file or website is not an endorsement, authorisation or representation of our affiliation with it. We do not exercise control over third party files or websites.
These other websites may place their own cookies or other files on your computer, collect data or solicit personally identifiable information from you. Other websites follow different rules regarding the use or disclosure of the personally identifiable information you submit to them. We encourage you to read the privacy policies or statements of the other websites you visit.
Our legal and ancillary services and our Website are not aimed at children, except for the provision of some corporate and social responsibility projects (“CSR Projects”) or work experience schemes, which are governed by separate privacy notices. If you are a parent or guardian and you become aware that your child has provided us with personal data without your consent, please contact us.
Any changes we may make to our Privacy Notice in the future will be posted on this page and, where appropriate and feasible, notified to you by email.
Please check back frequently to see any updates or changes to our Privacy Notice.
July 2020: The Visitors to our Offices section of the Privacy Notice has been updated.
August 2020: A webinars section has been added to the Privacy Notice.
February 2022: The “Who we are” section has been updated.
May 2023: The “Who we are” section has been updated.
June 2023: The “Who we are” section and “Contact us” sections have been updated.
November 2023: The “Who we are” section has been updated.
September 2024: The “Who are we” section has been updated.
June 2025: Overview page updated to reference insertion of a new “Use of AI” section, clarification of the scope of application of this notice, and numerous changes have been made to each of the main sections mainly to update contact details and improve the accessibility and intelligibility of this notice.
Last updated: May 2025